Resolver: fixed off-by-one read in ngx_resolver_copy(). It is believed to be harmless, and in the worst case it uses some uninitialized memory as a part of the compression pointer length, eventually leading to the "name is out of DNS response" error.

commit: 3f6f3d9ac0b9af037de08512b5a9d4cd01e0a276 [log] [tgz]
author: Maxim Dounin <mdounin@mdounin.ru> Tue May 25 15:17:38 2021 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> Tue May 25 15:17:38 2021 +0300
tree: d04138f8f25efa1e5cf7ad6bf9e47f5c15e8e9a0
parent: b5bd6cdee51bde6976a3ab52660a6a154471a68b [diff]
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 63b2619..9b13172 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c

@@ -3958,6 +3958,11 @@
         }
 
         if (n & 0xc0) {
+            if (p >= last) {
+                err = "name is out of DNS response";
+                goto invalid;
+            }
+
             n = ((n & 0x3f) << 8) + *p;
             p = &buf[n];
commit	3f6f3d9ac0b9af037de08512b5a9d4cd01e0a276	[log] [tgz]
author	Maxim Dounin <mdounin@mdounin.ru>	Tue May 25 15:17:38 2021 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	Tue May 25 15:17:38 2021 +0300
tree	d04138f8f25efa1e5cf7ad6bf9e47f5c15e8e9a0
parent	b5bd6cdee51bde6976a3ab52660a6a154471a68b [diff]